Iranian threat actor(s) have been observed using PowerShell modules and unmanaged PowerShell, which allows command and script execution without spawning powershell.exe and so sidesteps alerts keyed on that process name. The actor(s) are assessed to use these techniques and procedures in ransomware and mass collection campaigns, most recently in widespread exploitation of Log4j. The actor could quickly pivot this widespread exploitation to newer vulnerabilities as they are released, or reuse the same procedures in other campaigns such as phishing. Therefore, it is recommended that attack emulation, detection verification, and response are confirmed for the threat actor(s)' observed PowerShell tooling and procedures.
Cyber Threat Intelligence
The threat actor is reported to be linked to the Iranian government and typically “conducts long-term, resource-intensive operations to collect strategic intelligence.” -Mandiant
It’s worth noting, though, that Check Point describes widespread targeting: “Iranian nation-state actor, started widespread scanning and attempts to leverage Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed.” -Check Point
Malpedia reports APT35 typically targets the U.S. and Middle Eastern organizations in the following sectors: Military, Diplomatic and Government Personnel, Media, Energy, Defense Industrial Base (DIB), Engineering, Business Services, and Telecommunications.
As previously mentioned, they have conducted widespread opportunistic attacks, such as in the Log4j observations by Check Point. Furthermore, Cybereason has assessed that APT35 could be linked to Memento ransomware attacks due to “shared IP addresses, similar file naming schemes, and similar URL directory patterns.” -The Record
While it’s broadly accepted that APT35 commonly attacks to achieve state-sponsored intelligence collection, the group may also be conducting opportunistic ransomware campaigns for profit, or sharing infrastructure and capabilities with other groups that do.
Recent reports, including the Check Point report, suggest that the group or potential affiliates heavily leverage PowerShell and PowerShell modules.
- Cybereason - PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
- Check Point - APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
- Sophos Memento Report - New ransomware actor uses password-protected archives to bypass encryption protection
The SCYTHE APT35 Emulation focuses heavily on the PowerShell capabilities of the threat actor. The plan includes emulating the Applications, Screenshot, Processes, System Information, and Command Execution Modules reported in the Check Point report. Additionally, we’ve noted that the adversary has sought to bypass PowerShell monitoring by leveraging unmanaged PowerShell, so powershell.exe is not executed. Therefore, we leverage the SCYTHE PowerShell module, upsh, which runs PowerShell commands and scripts without using powershell.exe.
To manually conduct this emulation, download and execute the PowerShell scripts located here. The quickest way to approximate unmanaged PowerShell is to copy powershell.exe under a different file name and run the scripts from that copy: the engine DLL load and the PSHost pipe still occur, but under an image name that is not powershell.exe, which is what the detections below key on. (A true unmanaged host loads System.Management.Automation.dll into an entirely different process rather than a renamed copy of the shell.) To complete the plan, run the following commands from that renamed PowerShell terminal.
- "wmic product get name, InstallLocation, InstallDate, Version"
- "tasklist /v /FO csv > tasklist"
- "cd C:/; ls;"
Following your emulation, there are three files to clean up, named info, tasklist, and help.jpg, in your current working directory.
The first key detection opportunity is catching unmanaged PowerShell, which runs PowerShell without powershell.exe. SCYTHE emulates this via the PowerShell module shown below.
One recommended way to find unmanaged PowerShell is to alert on abnormal processes loading System.Management.Automation.dll or System.Management.Automation.ni.dll. Two SIGMA rules cover these DLL loads in abnormal processes and are a good starting point. Note that they overlap, but they will help you baseline this activity in your environment.
PSHost Pipe Detection
The next unmanaged PowerShell opportunity is to alert when suspicious applications create a named pipe whose name starts with \PSHost. We recommend implementing the following SIGMA rule, which filters out typical PSHost pipe activity:
Below is an example of a PSHost pipe name created by an uncommon process.
Possible Unmanaged Detections
The following two SIGMA alerts may also occur during unmanaged PowerShell. They will appear in SCYTHE emulations but are not inherently used every time unmanaged PowerShell is leveraged.
WMIC Enumerating Installs
The next detection opportunity is WMIC enumerating installed software, as in the step below.
If you can, we recommend baselining all WMIC activity in the environment. Alternatively, implement the WMIC Loading Scripting Libraries alert from SIGMA, which looks for wmic.exe as the image with jscript.dll or vbscript.dll as the loaded image.
Screenshot Module Detection
The next detection we’ll focus on is the screenshot module leveraged by the adversary. For detection, it’s possible to baseline which applications in the environment load System.Drawing.ni.dll, or to implement the Suspicious System.Drawing Load SIGMA rule.
Suspicious Tasklist Activity
To detect this activity, baseline tasklist usage in your environment and tune out familiar users, hosts, or parent processes where applicable. In addition, the following SIGMA rule is available as well, Suspicious Tasklist Discovery Command.
There is another opportunity in the tasklist activity: the redirection of command-line output. To detect this, look for a command line containing the > character. Again, tuning for typical workstations, users, or parent processes may be necessary. Redirect Output in CommandLine is the SIGMA rule for this activity.
Systeminfo Module Detection
To detect the threat actor’s systeminfo module, we recommend implementing the Suspicious Execution of Systeminfo SIGMA rule. Alternatively, systeminfo.exe usage may be baselined for the environment and anomalies flagged as alerts.
Netsh WiFi Credential Harvesting
To detect the actor’s WiFi enumeration procedure, we recommend the SIGMA Harvesting of Wifi Credentials Using netsh.exe rule. This rule looks for netsh.exe with command-line strings of wlan, s, p, k, and =clear, i.e. the netsh wlan show profile … key=clear form (netsh accepts the abbreviations s, p and k for show, profile and key) that prints saved WiFi passphrases in clear text. Note that there may be legitimate usage of this at times, and baselining may be necessary.
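As an added example (not part of the original post or of SCYTHE's tooling), the following Python models the detections from the unmanaged PowerShell, WMIC, screenshot, tasklist, systeminfo and netsh sections above as simple predicates over constructed Sysmon-shaped events (EventID 1 process create, 7 image load, 17 pipe created). The sample events, the allowlists KNOWN_PS_HOSTS and KNOWN_DRAWING_HOSTS, and matching the plain System.Drawing.dll alongside the .ni.dll are assumptions for illustration, not the exact logic of the cited SIGMA rules. What it adds to the prose is that a renamed copy of powershell.exe, the shortcut used to replicate the emulation, surfaces as an abnormal Image in both the DLL-load and PSHost-pipe rules, while the same loads from the real powershell.exe stay quiet.

```python
"""Toy Sigma-style matcher for the detections discussed above, run over
constructed Sysmon-shaped events (EventID 1 process create, 7 image load,
17 pipe created). Field names follow Sysmon; allowlists and samples are
assumptions, not the cited rules' exact logic."""
import re
from typing import Callable, Dict, List, Tuple

# Processes expected to host the PowerShell engine and own \PSHost pipes.
# Anything else, including a renamed copy of powershell.exe, counts as abnormal.
KNOWN_PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumed benign loaders of System.Drawing; tune to your own baseline.
KNOWN_DRAWING_HOSTS = {"explorer.exe", "mspaint.exe", "snippingtool.exe"}
PS_ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
DRAWING_DLLS = {"system.drawing.dll", "system.drawing.ni.dll"}
# netsh wlan show profile ... key=clear, including the abbreviated netsh wlan s p k=clear
NETSH_WIFI_KEY = re.compile(r"wlan\s+(?:show|s)\s+(?:profile|p)\b.*\b(?:key|k)=clear", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _image_in(ev: dict, names: set) -> bool:
    return _basename(ev.get("Image", "")) in names


def _loaded_in(ev: dict, dlls: set) -> bool:
    return ev.get("EventID") == 7 and _basename(ev.get("ImageLoaded", "")) in dlls


def _proc(ev: dict, *images: str) -> bool:
    return ev.get("EventID") == 1 and _image_in(ev, set(images))


RULES: Dict[str, Callable[[dict], bool]] = {
    # Unmanaged PowerShell: engine DLL loaded by something other than a known host.
    "Unmanaged PowerShell DLL load":
        lambda ev: _loaded_in(ev, PS_ENGINE_DLLS) and not _image_in(ev, KNOWN_PS_HOSTS),
    # Same idea via the named pipe every PowerShell host creates on start-up.
    "PSHost pipe from uncommon process":
        lambda ev: ev.get("EventID") == 17
        and ev.get("PipeName", "").startswith("\\PSHost")
        and not _image_in(ev, KNOWN_PS_HOSTS),
    "WMIC loading scripting libraries":
        lambda ev: _loaded_in(ev, {"jscript.dll", "vbscript.dll"}) and _image_in(ev, {"wmic.exe"}),
    "Suspicious System.Drawing load":
        lambda ev: _loaded_in(ev, DRAWING_DLLS) and not _image_in(ev, KNOWN_DRAWING_HOSTS),
    "Suspicious tasklist discovery":
        lambda ev: _proc(ev, "tasklist.exe"),
    "Redirect output in command line":
        lambda ev: ev.get("EventID") == 1 and ">" in ev.get("CommandLine", ""),
    "Suspicious execution of systeminfo":
        lambda ev: _proc(ev, "systeminfo.exe"),
    "Harvesting of Wi-Fi credentials using netsh":
        lambda ev: _proc(ev, "netsh.exe") and bool(NETSH_WIFI_KEY.search(ev.get("CommandLine", ""))),
}


def match(ev: dict) -> List[str]:
    """Names of every rule a single event satisfies (one event can hit several)."""
    return [name for name, pred in RULES.items() if pred(ev)]


def evaluate(events: List[dict]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every hit, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name in match(ev)]


# Constructed telemetry for the emulation steps; these are not real captures.
TMP = r"C:\Users\victim\AppData\Local\Temp\updater.exe"  # renamed powershell.exe copy
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SMA = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
       r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": TMP, "ImageLoaded": SMA},   # 0: renamed host -> alert
    {"EventID": 7, "Image": PS, "ImageLoaded": SMA},    # 1: real powershell.exe -> quiet
    {"EventID": 17, "Image": TMP, "PipeName": r"\PSHost.133000000000000000.4242.DefaultAppDomain.updater"},
    {"EventID": 17, "Image": PS, "PipeName": r"\PSHost.133000000000000000.1337.DefaultAppDomain.powershell"},
    {"EventID": 7, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": 7, "Image": TMP, "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\0f3a9c1e\System.Drawing.ni.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v /FO csv > tasklist"},
    {"EventID": 1, "Image": r"C:\Windows\System32\systeminfo.exe", "CommandLine": "systeminfo > info"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": 'netsh wlan show profile name="CorpWiFi" key=clear'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh wlan show profiles"},  # no key=clear -> quiet
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Events 6 and 7 each trip two rules (the command itself and the > redirect), which is the overlap the text warns about; in a SIEM you would typically correlate the pair by ProcessGuid rather than raise two alerts. The allowlist approach is deliberately strict: a renamed powershell.exe is indistinguishable from a bespoke unmanaged host in this telemetry, so the baseline of legitimate hosts is what carries the detection.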
If any of the alerts are detected in the environment, the response team should determine the depth of the Kill Chain, collect artifacts, and answer the following questions:
- Was the installation successful?
- What are the persistence mechanisms?
- Is Command & Control (C2) successful?
- What are the domain names, IP addresses, ports, and protocols used?
- Are there observations of Actions on Objectives (AOO)?
  - What are they?
- Did the actor laterally move?
- Was sensitive data taken?
  - Usernames, passwords, other?
- What caused the initial compromise?
  - How was it delivered?
  - What was exploited?
    - Vulnerability, control, human?
Once it has been determined how deep the intrusion goes, containment, eradication, and recovery should begin. After recovery, lessons learned should drive additional courses of action (COAs) to thwart the threat should it return, such as implementing additional security controls. As always, please follow your organization's response plan and evidence retention policies. We also recommend leveraging NIST SP 800-61 Rev. 2.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
About the Author
Chris is an Adversary Emulation - Detection Engineer at SCYTHE, specializing in Purple Team Exercises and Detection Engineering. His previous experience includes multiple roles such as Cyber Threat Intelligence Analyst, Cyber Threat Hunter, Tier 3 SOC Analyst, Incident Responder, Cyber Security Consultant, and Purple Team Lead. He previously worked at Raytheon Intelligence & Space and General Dynamics OTS. Additionally, he has experience in multiple industries, including Energy, Finance, Healthcare, Technology, and Defense. Current certifications include GCTI, GCFA, GCED, eJPT, and CSIS.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.